2023-12-19

@simonrob simonrob released this 19 Dec 21:46

This release contains the following security update, which applies specifically to usage of the proxy with O365 and the client credentials grant (CCG) flow:

  • Fix an issue where expired tokens could be renewed automatically without checking their validity against the original account configuration.

    When using the CCG flow, an attacker with knowledge of valid account addresses and careful timing (i.e., attempting to log in during a period from 10 minutes prior to the token expiry time, but before a valid login is received) could use this to gain access to an account.

    If you use this flow, but have also set encrypt_client_secret_on_first_use = True and removed the original client_secret value from the proxy's configuration file, then this issue is not a concern.

    The CCG authentication flow is a specialist non-default use-case that requires extra configuration, and for most users of the proxy this issue will not be a concern. However, if you are using this flow – particularly if this is in a publicly-accessible context – upgrading is highly recommended.
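As an added check (not part of the proxy's own code), the script below parses an INI-style configuration like the proxy's and flags CCG accounts that do not meet the mitigation described above, i.e. that still carry a plaintext `client_secret` or lack `encrypt_client_secret_on_first_use = True`. It assumes account sections are keyed by address and that the CCG flow is selected by a setting named `oauth2_flow` with the value `client_credentials`; those two names are assumptions, and the sample values are placeholders.

```python
import configparser
from io import StringIO

# Constructed sample configuration in the proxy's INI style. The values are
# placeholders, and the `oauth2_flow` / `client_credentials` names are
# assumptions made for this example, not keys taken from the proxy.
SAMPLE_CONFIG = """
[alice@example.com]
oauth2_flow = client_credentials
client_id = PLACEHOLDER-CLIENT-ID
client_secret = PLACEHOLDER-SECRET
encrypt_client_secret_on_first_use = False

[bob@example.com]
oauth2_flow = client_credentials
client_id = PLACEHOLDER-CLIENT-ID
encrypt_client_secret_on_first_use = True

[carol@example.com]
oauth2_flow = authorization_code
client_id = PLACEHOLDER-CLIENT-ID
client_secret = PLACEHOLDER-SECRET
"""


def find_ccg_accounts_at_risk(config_text: str) -> list[str]:
    """Return CCG account sections that do not satisfy the documented
    mitigation: encrypt_client_secret_on_first_use = True AND the plaintext
    client_secret removed from the configuration file."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(StringIO(config_text))
    at_risk = []
    for section in parser.sections():
        # Only the client credentials grant flow is affected by this issue.
        if parser.get(section, "oauth2_flow", fallback="") != "client_credentials":
            continue
        has_plain_secret = parser.has_option(section, "client_secret")
        encrypts = parser.getboolean(
            section, "encrypt_client_secret_on_first_use", fallback=False)
        if has_plain_secret or not encrypts:
            at_risk.append(section)
    return at_risk


if __name__ == "__main__":
    for account in find_ccg_accounts_at_risk(SAMPLE_CONFIG):
        print(f"{account}: CCG flow without the mitigation in place; "
              "upgrade the proxy or encrypt and remove the client_secret")
```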

Thanks to @gerneio for prompting further investigation of the CCG flow implementation, which led to the discovery of this issue. In addition, thanks to @w5pny and @Profex for pointing out that this release reports the wrong version string (2023-11-19 rather than 2023-12-19). This oversight has no effect on the proxy or the security fix, and there is now a pre-commit hook to make sure version numbers are always updated in future.